Critical Adobe Flash Update Indicative Of Unrelenting Web Attacks

Adobe Systems issued an emergency, out-of-band security update to its Flash Player software in a move that service providers say is indicative of sustained attacks against Web applications, browsers and browser components.

Adobe said its latest update fixes three vulnerabilities in its ubiquitous Flash Player program, one of which has a publicly available exploit that is being used in attacks against users. The flaws can be used to take complete control of a victim's system, Adobe said in its security bulletin issued Thursday.

The update impacts users of Flash Player in Internet Explorer 10 and 11, Windows, Linux and Macintosh PCs and users of Adobe Air on Android devices, and Windows and Macintosh systems. Adobe gave the flaws its highest priority rating and recommended users update their product installations to the latest version.

Security researchers at network security vendor FireEye said Thursday that the company uncovered a new targeted attack campaign exploiting a Flash zero-day vulnerability. The attacks have targeted at least three nonprofit institutions in a campaign it calls "Operation GreedyWonk.” At least two of the nonprofits targeted focus on national security and public policy, FireEye said.

The Adobe Flash attacks were first uncovered Feb. 13 when FireEye detected what appeared to be a watering-hole-style campaign to visitors of the Peter G. Peterson Institute for International Economics website. Visitors to the site were redirected to a malicious server hosting the Flash zero-day attack. The American Research Center in Egypt and the Smith Richardson Foundation also redirected visitors to their websites to the attack server, FireEye said.

"The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters," the FireEye researchers said in their analysis of the threat.

The attack bypasses Microsoft's Address Space layout Randomization, a threat mitigation measure built into modern versions of Windows. The company urged users to ensure that Java and Microsoft Office software is kept up to date with the latest patches. In addition, FireEye said it detected other malware, including Poison Ivy, a remote access toolkit that has been linked to organized cybercriminals in China and other hacking groups.

"This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics and other nonprofit socio-cultural issues," FireEye said. "The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically."

Solution providers said their clients are increasingly aware of the threat landscape, including targeted attacks carried out by financially motivated cybercriminals, hactivists and cyberespionage groups. Most attacks are targeting vulnerabilities in widely used software, with vulnerabilities in Oracle Java a leading target of cybercriminals, followed by Adobe and Microsoft Office software. Web-based attacks are frequent and sustained using easily obtainable automated attack toolkits.

Many small- and midsize-business owners don't believe they are a target, said Paul Radtke, vice president of technology at Germantown, Wis.-based TSR Solutions. Radtke said service providers are educating clients that attackers are going after businesses up and down the partner supply chain in a bid to get to their ultimate target.

"This is why we do regular penetration testing and give them strategies to reduce their attack surface," Radtke said.

The continued adoption of cloud services and the emergence of BYOD have driven a new wave of buggy applications that can be targeted by attackers, according to application security vendor Cenzic, in an application vulnerability report (.pdf) it issued this week. The firm said it is finding information leakage vulnerabilities, which give cybercriminals the technical details they need to exploit in attacks. It also is continuing to see cross-site scripting, authentication and authorization vulnerabilities and session management errors in the thousands of applications it examined over the past year.

According to Cenzic, 96 percent of applications have vulnerabilities with a median of 14 per application. Not enough organizations have comprehensive tools and practices in place for securing applications, and there needs to be more education and awareness about getting security in the software development cycle, it said.

"We're finding the same problems still creeping up," said a Cenzic official in an interview. "New technologies shaping the market and new threat vectors are evolving every day, creating more opportunities for cybercriminals to come in and extract sensitive data for their purposes."